BizVoice Masthead
 
 
 


E-mail Exposure: Is Your Business Threatened by Forwarding Procedures?

By CJ Simmons

Mobile devices and the proliferation of WiFi hotspots (which enhance Internet connectivity) have increased the convenience of working remotely.

Working outside of the office, however, poses challenges for many individuals whose employers don’t offer outside access to corporate e-mail. As a result, the practice of forwarding business e-mail to a personal, web-accessible e-mail account (such as AOL, Yahoo, Gmail, etc.) is becoming more common.

Often, employees set up an “auto-forward” in Outlook. The auto-forward takes any message received in their business e-mail account and automatically forwards (or redirects) it to another e-mail account. Employees can reply to the message from their personal account and continue the chain of communication with outside customers, vendors and other contacts. Voila! Problem solved, right?

Maybe … or maybe not. At first the practice of forwarding e-mail messages may seem to be minor in the grand scheme of things. But the thought of compromising network security distresses most IT professionals. There is validity to their concerns.

Once an e-mail message leaves the corporate network, it no longer benefits from the protections put in place by your IT staff. Aside from perhaps the most obvious concern of a virus infecting the message or another nasty Internet threat, there are other not-so-obvious issues that companies should consider.

Regulatory Compliance: There are a number of privacy and corporate governance regulations that apply to e-mail services, and the list of such laws is likely to grow. The Securities and Exchange Commission and the Health Insurance Portability and Accountability Act are just two examples in which specific requirements for e-mail encryption, storage and archival have been defined. When the chain of e-mail communication is moved outside a company’s technology boundary, the company loses the ability to control and comply with these regulatory requirements.

Confidentiality: Personal, web-based e-mail applications do not have the level of security built in to ensure the privacy of confidential information. Competent hackers at a WiFi hotspot can intercept e-mail communication as it travels “over the air.” As you open and reply to e-mail through a personal account, hackers may be able to collect private information about the employee, your company and the person with whom you are communicating.

Information Ownership: Various legal rulings have made it clear that business e-mail messages are owned by the company, not the individual. E-mail messages have become an important component of a company’s documentation trail. When the e-mail communication chain no longer resides within the confines of the company, the ownership of that documentation trail can be questioned.

So, what can a business do to minimize exposure to these risks?

  • Use an enterprise e-mail solution such as an in-house Exchange server or a hosted solution designed for business use. Enterprise systems such as Exchange can prohibit automatic forwarding to an Internet-based e-mail address. Don’t be fooled into thinking only large companies can afford an enterprise e-mail solution. Software vendors and service providers have made great strides in making enterprise solutions affordable for any small business.
  • Provide employees with secure Internet access to their business e-mail outside the office. Completely eliminate the need for employees to resort to other measures such as e-mail forwarding! You should discuss options such as Outlook Web Access, Remote Web Workplace, VPN, Citrix, SharePoint and others with your IT department to determine which ones could be implemented, based on your business needs.
  • Create and enforce an “acceptable use policy” for computer resources (including Internet and e-mail). Take the cue from school systems. Most schools from the elementary level through colleges and universities have “acceptable use policies” in place for the use of school computer resources by students. Clearly spell out in your company’s policy that employees may not forward e-mail from their business account to a personal e-mail account, and the consequences for violating the policy.
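
For the first recommendation, the following is an added example (not part of the original article) of how an administrator could find existing external forwarding and then prohibit automatic forwarding. It assumes the Exchange Management Shell on Exchange 2010 or later, or an Exchange Online PowerShell session; `$InternalDomains`, `example.com` and the helper `Test-ExternalAddress` are placeholders introduced here.

```powershell
# Added example. Run in the Exchange Management Shell with administrator rights.
# Assumption: replace with the SMTP domains your company owns.
$InternalDomains = @('example.com')

function Test-ExternalAddress {
    param([string]$Address)
    # Values may look like "smtp:user@host" or '"Name" [SMTP:user@host]'.
    if ($Address -match '([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+)') {
        return $InternalDomains -notcontains $Matches[2].ToLower()
    }
    return $false   # no SMTP address in the value: a directory object, review by hand
}

# 1. Mailbox-level forwarding to an SMTP address outside the company.
#    (ForwardingAddress points at a directory recipient such as a mail contact;
#    review those separately, since a contact can carry an external address.)
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -and
                   (Test-ExternalAddress "$($_.ForwardingSmtpAddress)") } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 2. User-created inbox rules that forward or redirect outside the company.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue | ForEach-Object {
        $rule = $_
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ -and (Test-ExternalAddress "$_") }
        if ($targets) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Targets = $targets -join '; '
            }
        }
    }
}

# 3. Prohibit automatic forwarding to external domains covered by the
#    default remote domain (DomainName "*"), then confirm the setting.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled
```

Steps 1 and 2 only report; step 3 changes server configuration, so review the report and notify affected employees before running it.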

Large or small, every company that communicates by e-mail needs to consider this topic and just how much exposure it faces when employees forward e-mail messages to personal accounts.

Author: CJ Simmons is the owner of CM IT Solutions of Greater Indianapolis, which offers technology solutions for small- and medium-sized businesses. She can be reached at (317) 566-9622 or at http://Indianapolis.cmitsolutions.com

